External Identity is a feature within Openbridge that allows external parties to perform authorizations without requiring access to your Openbridge account. This documentation provides an overview of how external identities function and important considerations to remember when using this feature.
Why Use External Identities
External identities are particularly useful when a client is reluctant to add your organization as an authorized user in their account. For example, Amazon Seller Central mandates that only an "admin" can perform app authorizations. The account owner may be reluctant to add you as an admin on their Seller account but would be willing to authorize the app themselves. In such cases, an external identity can serve as a viable solution.
While convenient, there are important considerations with this form of authorization. See "Important Considerations for External Identities" below.
How It Works
External identities operate similarly to remote identities, with the key distinction being that the authorization is initiated by an external party who lacks access to your Openbridge account.
The process of creating an external identity is quick and easy. To utilize trusted external identities, follow these steps:
1. Identify an external party, such as a client, who can authorize your access to their specific account, like Amazon Seller Central.
2. Send the external party an invite link generated from Openbridge, allowing them to authorize access without needing to log in or access your Openbridge account.
3. The external party clicks the invite link and proceeds through the authorization process required by the data source.
4. If successful, the external party will be redirected to Openbridge by the data source.
5. Upon authorization, the external party will see a confirmation page at Openbridge indicating successful completion.
6. You can now access the newly established external identity when creating your pipelines.
Important Considerations for External Identities
While external identities offer a quick and convenient method of "invite" based authorizations, it is essential to understand their limitations. Consider the following points:
Limited Authorization Insight: Openbridge lacks visibility into authorizations performed by external parties. As a result, we have no insight into names, emails, or other identifying information. This limitation arises because, when you send an invite link, the external party directly performs the authorization at the respective platform, such as Amazon, Google, or Facebook. Openbridge only receives the relevant authorization tokens and nothing else. Therefore, we cannot provide information on who specifically performed the authorization.
Potential Impact on Data Collection: Openbridge is only aware of the initial link creation and the resulting authorization token. We do not know whether the link was forwarded to other individuals or which account was used for authorization. Consequently, if an authorization expires or is inadvertently revoked, Openbridge's data collection will cease. Restoring data collection will require someone at your client's organization to reauthorize access.
Lack of Authorizer Identification: You may not know the authorizer or the specific account they used for authorization. This lack of information becomes crucial when, for instance, the authorizer (say, Nancy) goes on vacation. In such cases, pipelines may become deauthorized, leading to "permission" errors until access is restored by someone with the proper permissions to reauthorize Openbridge.
When utilizing trusted external identities, it is important to be mindful of these potential limitations and plan accordingly to ensure uninterrupted data collection and smooth operation.